FP4 - no 1.6 update visible and strange Libreoffice Viewer installation - have I been hacked?

I am suspicious of my FP4 phone having been hacked.

What happened:

  1. while IMG-e-1.6-s-20221129238946-stable-FP4.zip was already available on images.ecloud.global/stable/FP4/ for at least a week, using the Updater did not provide access to the newer version, it always said that there were no newer updates available. The installed version at that time was IMG-e-1.5.1-s-20221102231514-stable-FP4.zip

  2. when doing a regular update from F-Droid, it first updated F-Droid, then it offered to update LibreOffice viewer (I do not remember whether I even had it installed anymore, I remember removing it due to a warning that it was using some outdated, unsafe libraries).

  3. after updating LibreOffice Viewer, F-Droid issued a warning that it was outdated and suggested to de-install it. However, the de-installation did not work and after checking in Settings → Apps → All Apps → LibreOffice Viewer, the app did not allow to deinstall, just to “Force stop” and “Disable” itself. This is not the normal behavior of LibreOffice Viewer as I remember it from earlier.

What I did then:

  1. after the above, I did a factory reset in the hope, after a factory reset the misbehaving app would have disappeared. However, the LibreOffice Viewer survived the factory reset and was still not deinstalleable.

  2. I then did a manual download and (re)installation of /e/OS IMG-e-1.5.1-s-20221102231514-stable-FP4.zip as described under https://doc.e.foundation/devices/FP4/install, in the hope that this would overwrite any existing installation. However, the LibreOffice Viewer survived also this procedure.

  3. I then manually deinstalled LibreOffice Viewer with “pm uninstall -k --user 0 org.documentfoundation.libreoffice”, this seemed to work, LibreOffice Viewer did not reappear also after restarting the device.

  4. after that, I did a manual download and installation of /e/OS IMG-e-1.6-s-20221129238946-stable-FP4.zip. The LibreOffice Viewer did not reappear anymore

My questions:

  1. Did anybody experience the same behavior regarding an update to /e/OS 1.6 (not available from /e/OS 1.5.1)?

  2. Just to verify: I assume that LibreOffice Viewer does not belong to the /e/OS preinstalled apps also on /e/OS 1.5.1, is this correct? (I did not find it listed on the /e/OS documentation and I have never seen it appear before, but just to verify)

  3. can anybody provide an alternative explanation why LibreOffice Viewer behaved in this strange way? As its version was declared an “alpha” version (, could the observed behavior be due to a problem in its package rather than a hacking attempt?

  4. On a normal PC, if I suspect a hacking, I would overwrite the disk with zeroes or random numbers and then install everything from scratch. What would be the best equivalent procedure on an android-based Smartphone? I distrust just reformatting as malicious code has been known to survive such procedures, but I would not know what I could overwrite via adb shell and what I need to preserve to avoid completely bricking the device.

  5. I seem to have a misunderstanding what a manual installation does, I was assuming that all system and data will be overwritten by the provided image files, but this seems to be incorrect. Can anyone point me to a good link which provides details, particularly how the above could happen?

Regain your privacy! Adopt /e/ the unGoogled mobile OS and online servicesphone

The availability of /e/OS versions can differ between the downloads for manual install and the OTA updater.

This is correct. There’s a known security risk … LibreOffice Viewer security vulnerability.

It’s a system App included in /e/OS up to /e/OS 1.5, which explains your trouble getting rid of it.
This App was removed from /e/OS in version 1.6, see the release notes at Releases · e / os / releases · GitLab .

:+1: … (reference for others reading along, the additional -k option keeps the corresponding App data and cache directories around after package removal)

1 Like

Thanks for the reply
So the 2 events were not related, I worried for nothing and my faith in factory reset is restored :grin: